C++: Add testcase demonstrating missing result for 'cpp/invalid-pointer-deref' query.

Author: MathiasVP

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/InvalidPointerDeref.expected

@@ -609,6 +609,46 @@ edges
 | test.cpp:180:19:180:28 | call to mk_array_p indirection [begin] | test.cpp:165:29:165:31 | arr indirection [begin] |
 | test.cpp:180:19:180:28 | call to mk_array_p indirection [end] | test.cpp:165:29:165:31 | arr indirection [end] |
 | test.cpp:188:15:188:20 | call to malloc | test.cpp:189:15:189:15 | Load |
+| test.cpp:194:23:194:28 | call to malloc | test.cpp:195:17:195:17 | Load |
+| test.cpp:194:23:194:28 | call to malloc | test.cpp:197:8:197:8 | Load |
+| test.cpp:194:23:194:28 | call to malloc | test.cpp:201:5:201:5 | Load |
+| test.cpp:205:23:205:28 | call to malloc | test.cpp:206:17:206:17 | Load |
+| test.cpp:205:23:205:28 | call to malloc | test.cpp:208:15:208:15 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | ... + ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
+| test.cpp:206:17:206:17 | Load | test.cpp:206:17:206:23 | Store |
+| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:209:12:209:14 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:5:213:6 | * ... |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
+| test.cpp:206:17:206:17 | Load | test.cpp:213:6:213:6 | Load |
+| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | Store |
+| test.cpp:206:17:206:23 | ... + ... | test.cpp:206:17:206:23 | Store |
+| test.cpp:206:17:206:23 | ... + ... | test.cpp:209:12:209:14 | Load |
+| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:206:17:206:23 | ... + ... | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:206:17:206:23 | Store | test.cpp:209:12:209:14 | Load |
+| test.cpp:206:17:206:23 | Store | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:206:17:206:23 | Store | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:209:12:209:14 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:209:12:209:14 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:213:5:213:6 | * ... | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:213:5:213:6 | * ... | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:6 | * ... |
+| test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
+| test.cpp:213:6:213:6 | Load | test.cpp:213:5:213:13 | Store: ... = ... |
 #select
 | test.cpp:6:14:6:15 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:6:14:6:15 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
 | test.cpp:8:14:8:21 | Load: * ... | test.cpp:4:15:4:20 | call to malloc | test.cpp:8:14:8:21 | Load: * ... | This read might be out of bounds, as the pointer might be equal to $@ + $@ + 1. | test.cpp:4:15:4:20 | call to malloc | call to malloc | test.cpp:5:19:5:22 | size | size |
@@ -625,3 +665,4 @@ edges
 | test.cpp:110:9:110:14 | Store: ... = ... | test.cpp:82:17:82:22 | call to malloc | test.cpp:110:9:110:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:82:17:82:22 | call to malloc | call to malloc | test.cpp:83:27:83:30 | size | size |
 | test.cpp:157:9:157:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:157:9:157:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
 | test.cpp:171:9:171:14 | Store: ... = ... | test.cpp:143:18:143:23 | call to malloc | test.cpp:171:9:171:14 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:143:18:143:23 | call to malloc | call to malloc | test.cpp:144:29:144:32 | size | size |
+| test.cpp:213:5:213:13 | Store: ... = ... | test.cpp:205:23:205:28 | call to malloc | test.cpp:213:5:213:13 | Store: ... = ... | This write might be out of bounds, as the pointer might be equal to $@ + $@. | test.cpp:205:23:205:28 | call to malloc | call to malloc | test.cpp:206:21:206:23 | len | len |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/pointer-deref/test.cpp

@@ -188,4 +188,27 @@ void test11(unsigned size) {
     char *p = malloc(size);
     char *q = p + size - 1;
     deref_plus_one(q);
-}
+}
+
+void test12(unsigned len, unsigned index) {
+    char* p = (char *)malloc(len);
+    char* end = p + len;
+    
+    if(p + index > end) {
+        return;
+    }
+    
+    p[index] = '\0'; // BAD [NOT DETECTED]
+}
+
+void test13(unsigned len, unsigned index) {
+    char* p = (char *)malloc(len);
+    char* end = p + len;
+    
+    char* q = p + index;
+    if(q > end) {
+        return;
+    }
+    
+    *q = '\0'; // BAD
+}